NAME
ettercap - multipurpose sniffer/content filter for man in the middle attacks
***** IMPORTANT NOTE ******
Since ettercap NG (formerly 0.7.0), all the options have been changed. Even the target specification has been changed. Please read this man page carefully.
SYNOPSIS
ettercap [OPTIONS] [TARGET1] [TARGET2]
If IPv6 is enabled:
TARGET is in the form MAC/IPs/IPv6/PORTs
Otherwise,
TARGET is in the form MAC/IPs/PORTs
where IPs and PORTs can be ranges (e.g. /192.168.0.1-30,40,50/20,22,25)
DESCRIPTION
Ettercap was born as a sniffer for switched LAN (and obviously even "hubbed" ones), but during the development process it has gained more and more features that have changed it into a powerful and flexible tool for man-in-the-middle attacks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis (such as OS fingerprinting).
It has two main sniffing options:
UNIFIED, this method sniffs all the packets that pass on the cable. You can choose whether or not to put the interface in promisc mode (-p option). Packets not directed to the host running ettercap will be forwarded automatically using layer 3 routing. So you can use a mitm attack launched from a different tool and let ettercap modify the packets and forward them for you.
The kernel ip_forwarding is always disabled by ettercap. This is done to prevent forwarding a packet twice (once by ettercap and once by the kernel). This is an invasive behaviour on gateways, so we recommend using ettercap on gateways ONLY with the UNOFFENSIVE MODE ENABLED. Since ettercap listens only on one network interface, launching it on the gateway in offensive mode will not allow packets to be rerouted back from the second interface.
BRIDGED, it uses two network interfaces and forwards the traffic from one to the other while performing sniffing and content filtering. This sniffing method is totally stealthy since there is no way to find that someone is in the middle on the cable. You can look at this method as a mitm attack at layer 1. You will be in the middle of the cable between two entities. Don't use it on gateways or it will transform your gateway into a bridge.
HINT: you can use the content fil
There is no concept of SOURCE nor DEST. The two targets are intended to filter traffic coming from one to the other and vice-versa (since the connection is bidirectional).
TARGET is in the form MAC/IPs/PORTs.
NOTE: If IPv6 is enabled, TARGET is in the form MAC/IPs/IPv6/PORTs.
If you want, you can omit any of its parts and this will represent an ANY in that part.
e.g.
"//80" means ANY mac address, ANY ip and ONLY port 80
"/10.0.0.1/" means ANY mac address, ONLY ip 10.0.0.1 and ANY port
MAC must be unique and in the form 00:11:22:33:44:55
IPs is a range of IPs in dotted notation. You can specify a range with the - (hyphen) and single IPs with , (comma). You can also use ; (semicolon) to indicate different IP addresses.
e.g.
"10.0.0.1-5;10.0.1.33" expands into ip 10.0.0.1, 2, 3, 4, 5 and 10.0.1.33
PORTs is a range of PORTS. You can specify a range with the - (hyphen) and single ports with , (comma).
e.g.
"20-25,80,110" expands into ports 20, 21, 22, 23, 24, 25, 80 and 110
NOTE:
you can reverse the matching of the TARGET by adding the -R option to the command line. So if you want to sniff ALL the traffic BUT the one coming or going to 10.0.0.1 you can specify "./ettercap -R /10.0.0.1/"
NOTE:
TARGETs are also responsible for the initial scan of the lan. You can use them to restrict the scan to only a subset of the hosts in the netmask. The result of the merging between the two targets will be scanned. Remember that not specifying a target means "no target", but specifying "//" means "all the hosts in the subnet".
PRIVILEGES DROPPING
ettercap needs root privileges to open the Link Layer sockets. After the initialization phase, the root privs are not needed anymore, so ettercap drops them to UID = 65535 (nobody). Since ettercap has to write (create) log files, it must be executed in a directory with the right permissions (e.g. /tmp/). If you want to drop privs to a different uid, you can export the environment variable EC_UID with the value of the uid you want to drop the privs to (e.g. export EC_UID=500) or set the correct parameter in the etter.conf file.
SSL MITM ATTACK
While performing the SSL mitm attack, ettercap substitutes the real ssl certificate with its own. The fake certificate is created on the fly and all the fields are filled acco
dhcp:ip_pool,netmask,etc )
The following mitm attacks are available:
arp ([remote],[oneway])
This method implements the ARP poisoning mitm attack. ARP requests/replies are sent to the victims to poison their ARP cache. Once the cache has been poisoned the victims will send all packets to the attacker which, in turn, can modify and forward them to the real destination.
In silent mode (-z option) only the first target is selected; if you want to poison multiple targets in silent mode use the -j option to load a list from a file.
You can select empty targets and they will be expanded as 'ANY' (all the hosts in the LAN). The target list is joined with the hosts list (created by the arp scan) and the result is used to determine the victims of the attack.
The parameter "remote" is optional and you have to specify it if you want to sniff remote ip addresses while poisoning a gateway. Indeed if you specify a victim and the gw in the TARGETS, ettercap will sniff only connections between them, but to enable ettercap to sniff connections that pass thru the gw, you have to use this parameter.
The parameter "oneway" will force ettercap to poison only from TARGET1 to TARGET2. Useful if you want to poison only the client and not the router (where an arp watcher can be in place).
Example:
the targets are: /10.0.0.1-5/ /10.0.0.15-20/
and the host list is: 10.0.0.1 10.0.0.3 10.0.0.16 10.0.0.18
the associations between the victims will be:
1 and 16, 1 and 18, 3 and 16, 3 and 18
if the targets overlap each other, the association with identical ip address will be skipped.
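As an added example (not ettercap's own code), here is a small Python model of the TARGET grammar described above (MAC/IPs/PORTs with -, , and ;), the -R reversal, and the join of two targets with the arp-scan host list that yields the associations in the example; it assumes the IPv4 form and that ranges apply to the last octet only, and lets you check exactly which hosts a pair of TARGETs selects before using it.

```python
import re

def expand_numbers(spec):
    """Expand the PORTs grammar: '20-25,80,110' -> {20,...,25,80,110}."""
    nums = set()
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        nums.update(range(int(lo), int(hi or lo) + 1))
    return nums

def expand_ips(spec):
    """Expand '10.0.0.1-5;10.0.1.33': ';' separates addresses and the last
    octet carries the same range/comma grammar as PORTs (an assumption drawn
    from the man page's examples; ettercap itself accepts more forms)."""
    ips = set()
    for addr in spec.split(";"):
        head, _, last = addr.rpartition(".")
        for n in expand_numbers(last):
            if not 0 <= n <= 255:
                raise ValueError(f"octet out of range in {addr!r}")
            ips.add(f"{head}.{n}")
    return ips

def parse_target(spec):
    """'MAC/IPs/PORTs' -> (mac, ips, ports); an empty part becomes None (ANY)."""
    parts = spec.split("/")
    if len(parts) != 3:
        raise ValueError("TARGET must be MAC/IPs/PORTs (exactly two slashes)")
    mac, ips, ports = parts
    mac = mac.lower() or None
    if mac and not re.fullmatch(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", mac):
        raise ValueError(f"bad MAC {mac!r}")
    return (mac, expand_ips(ips) if ips else None,
            expand_numbers(ports) if ports else None)

def matches(target, mac, ip, port, reverse=False):
    """True if (mac, ip, port) is selected by target; reverse models -R."""
    tmac, tips, tports = target
    hit = ((tmac is None or tmac == mac.lower()) and
           (tips is None or ip in tips) and
           (tports is None or port in tports))
    return hit != reverse

def arp_victim_pairs(target1, target2, host_list):
    """Join each target's IP part with the arp-scan host list and pair the
    survivors (the 'association'); identical addresses are skipped."""
    def pick(t):
        return [h for h in host_list if t[1] is None or h in t[1]]
    return [(a, b) for a in pick(target1) for b in pick(target2) if a != b]
```

Feeding it the man page's example (targets /10.0.0.1-5/ and /10.0.0.15-20/, hosts 10.0.0.1, .3, .16, .18) gives the four pairs listed above, and two "//" targets pair every scanned host with every other.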
NOTE: if you manage to poison a client, you have to set the correct routing table in the kernel specifying the GW. If your routing table is incorrect, the poisoned clients will not be able to navigate the Internet.
icmp (MAC/IP)
This attack implements ICMP redirection. It sends a spoofed icmp redirect message to the
ettercap -T -s 'lq' will print the list of the hosts and exit
ettercap -T -s 's(300)olqq' will collect the infos for 5 minutes, print the list of the local profiles and exit
-C, --curses
Ncurses based GUI. See ettercap_curses(8) for a full description.
-G, --gtk
The nice GTK2 interface (thanks Daten...).
-D, --daemonize
Daemonize ettercap. This option will detach ettercap from the current controlling terminal and set it as a daemon. You can combine this feature with the "log" option to log all the traffic in the background. If the daemon fails for any reason, it will create the file "./ettercap_daemonized.log" in which the error caught by ettercap will be reported. Furthermore, if you want to have a complete debug of the daemon process, you are encouraged to recompile ettercap in debug mode.
GENERAL OPTIONS
-b, --broadcast
Tells Ettercap to process packets coming from Broadcast address.
-i, --iface <IFACE>
Use this <IFACE> instead of the default one. The interface can be unconfigured (requires libnet >= 1.1.2), but in this case you cannot use MITM attacks and you should set the unoffensive flag.
-I, --iflist
This option will print the list of all available network interfaces that can be used within ettercap. The option is particularly useful under windows where the name of the interface is not as obvious as under *nix.
-Y, --secondary <interface list>
Specify a list of (or single) secondary interfaces to capture packets from.
-A, --address <ADDRESS>
Use this <ADDRESS> instead of the one autodetected for the current iface. This option is useful if you have an interface with multiple ip addresses.
-n, --netmask <NETMASK>
Use this <NETMASK> instead of the one associated with the current iface. This option is useful if you have a NIC with an associated netmask of class B and you want to scan (with the arp scan) only a class C.
-R, --reversed
Reverse the matching in the TARGET selection. It means not(TARGET). All but the selected TARGET.
-t, --proto <PROTO>
Sniff only PROTO packets (default is TCP + UDP).
This is useful if you want to select a port via the TARGET specification but you want to differentiate between tcp or udp.
PROTO can be "tcp", "udp" or "all" for both.
-6, --ip6scan
Send ICMPv6 probes to discover active IPv6 nodes on the link.
This option sends a ping request to the all-nodes address to motivate active IPv6 hosts to respond. You should not use this option if you try to hide yourself. Therefore this option is optional.
NOTE: This option is only available if IPv6 support has been enabled.
-z, --silent
Do not perform the initial ARP scan of the LAN.
NOTE: you will not have the hosts list, so you can't use the multipoison feature. You can only select two hosts for an ARP poisoning attack, specifying them through the TARGETs.
-p, --nopromisc
Usually, ettercap will put the interface in promisc mode to sniff all the traffic on the wire. If you want to sniff only your connections, use this flag to NOT enable the promisc mode.
-S, --nosslmitm
Usually, ettercap forges SSL certificates in order to intercept https traffic. This option disables that behavior.
-u, --unoffensive
Every time ettercap starts, it disables ip forwarding in the kernel and begins to forward packets itself. This option prevents that, so the responsibility of ip forwarding is left to the kernel.
This option is useful if you want to run multiple ettercap instances. You will have one instance (the one without the -u option) forwarding the packets, and all the other instances doing their work without forwarding them. Otherwise you will get packet duplicates.
It also disables the internal creation of the sessions for each connection. It increases performance, but you will not be able to modify packets on the fly. If you want to use a mitm attack you have to use a separate instance.
You have to use this option if the interface is unconfigured (without an ip address).
This is also useful if you want to run ettercap on the gateway. It will not disable the forwarding and the gateway will correctly route the packets.
-j, --load-hosts <FILENAME>
It can be used to load a hosts list from a file created by the -k option. (see below)
-k, --save-hosts <FILENAME>
Saves the hosts list to a file. Useful when you have many hosts and you don't want to do an ARP storm at startup every time you use ettercap. Simply use this option and dump the list to a file, then to load the information from it use the -j <filename> option.
-P, --plugin <PLUGIN>
Run the selected PLUGIN. Many plugins need target specification, use TARGET as always. Use multiple occurrences of this parameter to select multiple plugins.
In console mode (-C option), standalone plugins are executed and then the application exits. Hook plugins are activated and the normal sniffing is performed.
To have a list of the available external plugins use "list" (without quotes) as plugin name (e.g. ./ettercap -P list).
NOTE: you can also activate plugins directly from the interfaces (always press "h" to get the inline help)
More detailed info about plugins and about how to write your own are found in the man page ettercap_plugin(8)
-F, --filter <FILE>
Load the filter from the file <FILE>. The filter must be compiled with etterfilter(8). The utility will compile the filter script and produce an ettercap-compliant binary filter file. Read the etterfilter(8) man page for the list of functions you can use inside a filter script.
Any number of filters can be loaded by specifying the option multiple times; packets are passed through each filter in the order specified on the command line. You can also load a script without enabling it by appending :0 to the filename.
NOTE: these filters are different from those set with --pcapfilter. An ettercap filter is a content filter and can modify the payload of a packet before forwarding it. Pcap filters are used to capture only certain packets.
NOTE: you can use filters on a pcapfile to modify it and save to another file, but in this case you have to pay attention to what you are doing, since ettercap will not recalculate checksums, nor split packets exceeding the mtu (snaplen) nor anything like that.
Strip all the html tags from the text. A tag is every strin
EXAMPLES
Here are some examples of using ettercap.
ettercap -Tp
Use the console interface and do not put the interface in promisc mode. You will see only your traffic.
ettercap -Tzq
Use the console interface, do not ARP scan the net and be quiet. The packet content will not be displayed, but user and passwords, as well as other messages, will be displayed.
ettercap -T -j /tmp/victims -M arp /10.0.0.1-7/ /10.0.0.10-20/
Will load the hosts list from /tmp/victims and perform an ARP poisoning attack against the two targets. The list will be joined with the targets and the resulting list is used for ARP poisoning.
ettercap -T -M arp // //
Perform the ARP poisoning attack against all the hosts in the LAN.
BE CAREFUL !!
ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/
Perform the ARP poisoning against the gateway and the hosts in the lan between 2 and 10. The 'remote' option is needed to be able to sniff the remote traffic the hosts make through the gateway.
ettercap -Tzq //110
Sniff only the pop3 protocol from every host.
ettercap -Tzq /10.0.0.1/21,22,23
Sniff telnet, ftp and ssh connections to 10.0.0.1.
ettercap -P list
Prints the list of all available plugins
FILES
~/.config/ettercap_gtk
Stores persistent information (e.g., window placement) between sessions.
ORIGINAL AUTHORS
Alberto Ornaghi (ALoR) <alor@users.sf.net>
Marco Valleri (NaGA) <naga@antifork.org>
PROJECT STEWARDS
;)
KNOWN-BUGS
- ettercap doesn't handle fragmented packets... only the first segment will be displayed by the sniffer. However all the fragments are correctly forwarded.
+ please send bug reports, patches or suggestions to <ettercap-betatesting@lists.sourceforge.net> or visit https://github.com/Ettercap/ettercap/issues.
+ to report a bug, follow the instructions in the README.BUGS file
PHILOLOGICAL HISTORY
"Even if blessed with a feeble intelligence, they are cruel and smart..." this is the description of Ettercap, a monster of the RPG Advanced Dungeons & Dragons.
The name "ettercap" was chosen because it has an assonance with "ethercap" which means "ethernet capture" (what ettercap actually does) and also because such monsters have a powerful poison... and you know, arp poisoning... ;)
The Lord Of The (Token)Ring
(the fellowship of the packet)